BKDR_PLUGX.BW
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It requires its main component to successfully perform its intended routine.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
THUNDERBIRD SERVICE = ""{Malware Path and File Name}""
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CLASSES_ROOT\MJ
It adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\MJ
CLSID = "{random hex values}"
Other Details
This backdoor connects to the following possibly malicious URL:
- https://strew.{BLOCKED}darydns.com
It requires its main component to successfully perform its intended routine.